Alex Balashov writes:

The problem, as you well know, is that not having the check allows a
user A to impersonate the identity of any other user B, as long as
user A has his own valid credentials for himself.

yes, i well know it and therefore one needs to check if the user really
owns the uri or not. to make an automatic invalid check is in my opinion
a very bad idea, since according to rfc3261 uri userpart does not have
anything to do with user's authentication username.
-- juha
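
The two checks discussed in this exchange, side by side, as an added example that is not part of the original thread or of any SIP proxy's code: an explicit ownership lookup versus the automatic comparison of the auth username with the URI userpart. The ownership table, the realm and all function names are constructed for illustration.

```python
import re

# Constructed ownership table: (digest auth username, realm) -> SIP URIs that
# identity may assert. The URI userpart need not equal the auth username.
URI_OWNERS = {
    ("a1001", "example.com"): {"sip:alice@example.com", "sip:+15550100@example.com"},
    ("b2002", "example.com"): {"sip:bob@example.com"},
}

_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')  # quoted display name
_URI = re.compile(r"(sips?):([^@;>\s]+)@([^;>\s:]+)", re.I)

def canonical_uri(header_value):
    """Reduce a From header value to scheme:user@host, or None if unusable."""
    # Drop the quoted display name first so a URI-looking display name
    # cannot be mistaken for the real address.
    stripped = _QUOTED.sub("", header_value)
    bracketed = re.search(r"<([^>]*)>", stripped)
    target = (bracketed.group(1) if bracketed else stripped).strip()
    m = _URI.match(target)
    if not m:
        return None
    scheme, user, host = m.groups()
    # Host is case-insensitive; the userpart is compared as given.
    return f"{scheme.lower()}:{user}@{host.lower()}"

def owns_uri(auth_user, realm, from_header):
    """Ownership check: the authenticated identity must be provisioned for the URI."""
    uri = canonical_uri(from_header)
    allowed = URI_OWNERS.get((auth_user, realm.lower()), set())
    return uri is not None and uri in allowed

def naive_match(auth_user, from_header):
    """Automatic check: auth username must equal the URI userpart."""
    uri = canonical_uri(from_header)
    if uri is None:
        return False
    userpart = uri.split(":", 1)[1].split("@", 1)[0]
    return userpart == auth_user

if __name__ == "__main__":
    own = '"Alice" <sip:alice@example.com>;tag=1'   # constructed header values
    other = '<sip:bob@example.com>;tag=2'
    print("ownership, own URI:    ", owns_uri("a1001", "example.com", own))
    print("ownership, other's URI:", owns_uri("a1001", "example.com", other))
    print("naive, own URI:        ", naive_match("a1001", own))
```
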